DTC Podcast - Episode 518: CCPA/CPRA Explained - What Every Ecommerce Tech Manager Must Know | AKNF
Release Date: June 20, 2025
In Episode 518 of the DTC Podcast, hosted by the DTC Newsletter and Podcast team, Eric Dick engages in an in-depth discussion with Richard, the Technical Manager at Pilothouse, about California's Consumer Privacy Act (CCPA) and the subsequent California Privacy Rights Act (CPRA). This episode serves as a crucial guide for ecommerce businesses navigating the complexities of data privacy laws, particularly those operating or engaging with customers in California.
1. Understanding CCPA and CPRA
[00:00 - 02:30]
Richard begins by clarifying the distinctions between CCPA and CPRA:
- CCPA (2020): Grants California residents rights to know what personal information is collected, the purpose behind its collection, and the third parties with whom it is shared. It also allows them to request data deletion and opt-out of the sale of their personal information.
- CPRA (2023): Enhances CCPA by adding rights to correct inaccurate information and establishing the California Privacy Protection Agency to enforce the law.
Notable Quote:
"The CCPA 2020 is the California Consumer Privacy Act. This gave people, residents of California, the right to know what personal information is collected about them..." — Richard [02:56]
2. Importance of Compliance for Ecommerce Businesses
[02:30 - 07:18]
Richard emphasizes the necessity for businesses to comply with CCPA/CPRA, especially if they engage with California residents. Non-compliance can lead to significant penalties:
- Civil Penalties: Up to $2,500 per unintentional violation and $7,500 per intentional violation, with fines escalating for repeated offenses.
- Consumer Lawsuits: Individuals can sue for damages up to $750 per incident or the actual damages suffered, whichever is greater.
- Injunctions and Other Remedies: Courts can issue orders to halt non-compliant practices until issues are resolved.
Notable Quotes:
"If you're doing business with any California residents, there are non-compliance penalties." — Richard [00:05]
"You'll have reduced tracking data and you'll probably see a little bit of a reduction in sales." — Richard [00:51]
3. Applicability and Thresholds
[07:18 - 09:32]
CCPA applies to businesses meeting any of the following criteria:
- Gross Annual Revenue: Over $25 million.
- Data Handling: Buying, selling, or sharing personal information of 100,000+ California residents or households.
- Revenue Source: Deriving 50% or more of annual revenue from selling personal information.
Notable Quote:
"If you're doing business with any California residents, it doesn't matter where you're located." — Richard [09:16]
4. Other State Privacy Laws
[09:32 - 13:28]
Richard outlines that several other states have enacted or are in the process of enacting privacy laws similar to CCPA/CPRA, including Virginia, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and others. Each state has unique thresholds and requirements, underscoring the need for businesses to stay informed and compliant across multiple jurisdictions.
Notable Quote:
"It's all heading that direction... I think everybody's going to have to adhere to it." — Richard [09:32]
5. Steps to Achieve Compliance
[13:47 - 21:15]
Richard outlines a three-step process for ecommerce stores to become CCPA compliant:
- Update Privacy Policy: Clearly detail data collection, usage, and sharing practices.
- Provide Customer Access to Data: Implement mechanisms allowing customers to view their personal data stored by the business.
- Enable Opt-Out Options: Allow customers to opt out of the sale or sharing of their personal information.
Tools and Extensions:
- Shopify Compliance Extensions: Consent Mode, Pandecties, Secure Privacy.
- Server-Side Tracking Platforms: Elevar, which integrates with compliance apps like OneTrust, Cookiebot, and others.
Notable Quotes:
"If you want to be above the law, you want to be compliant." — Richard [30:25]
"Consent banners... need to be presented as soon as users hit your site." — Richard [27:16]
6. Impact on Ecommerce Businesses
[21:15 - 30:51]
Implementing compliance measures affects ecommerce operations:
- Reduced Tracking Data: Businesses may experience a decrease in analytics and remarketing capabilities.
- Potential Sales Reduction: Some businesses reported significant drops in conversions and overall sessions; however, actual purchase reductions might be minimal.
- Data Management: Existing customer data must be imported into compliance platforms or securely deleted to prevent breaches.
Case Study: A recent client faced a 28% reduction in Google Ads conversions and a 58% decrease in overall sessions after implementing compliance measures, but only a 4% drop in actual purchases.
Notable Quotes:
"You will have reduced tracking data and you'll probably see a little bit of a reduction in sales." — Richard [00:51]
"They saw a 28% reduction in conversions coming through on Google Ads." — Richard [29:33]
7. Challenges and Opinions on Current Legislation
[30:51 - 35:46]
Both hosts express concerns over the breadth and enforcement of CCPA/CPRA:
- Overreach: The regulations may be too broad, affecting legitimate businesses that rely on data for operations and growth.
- Litigation Risks: The U.S. legal landscape is highly litigious, with potential for frivolous lawsuits exploiting the laws.
Richard shares his personal stance, feeling that while data privacy is essential, the current implementation may hinder business growth and data-driven marketing strategies.
Notable Quotes:
"I think it's gone too far the way of." — Richard [21:53]
"The US is particularly litigious and frivolous." — Richard [24:31]
8. Future Directions and Personal Insights
[35:46 - End]
Looking ahead, Eric speculates on a future where AI manages personal data profiles, offering users more control and monetization opportunities. Richard agrees, envisioning a system where AI intermediates consent across platforms, simplifying the user experience while maintaining data privacy.
Notable Quotes:
"We're going to have our data profiles that are a bigger part of who we are and what we recognize." — Eric [34:11]
"AI knows me and then I go to any site and it just preemptively just goes, yeah, Richard, he's good to go." — Richard [35:20]
Conclusion
The episode underscores the critical importance of understanding and complying with data privacy laws like CCPA and CPRA for ecommerce businesses. While compliance may pose challenges, including reduced data and potential sales impacts, it is essential to mitigate legal risks and build customer trust. Utilizing specialized tools and staying informed about evolving privacy regulations across different states will be pivotal for businesses aiming to thrive in a privacy-conscious market.
Final Thoughts:
"But you just have to ... make sure you're compliant." — Eric [35:46]
Resources Mentioned:
- Compliance Extensions for Shopify:
  - Consent Mode
  - Pandecties
  - Secure Privacy
- Server-Side Tracking Platforms:
  - Elevar
- Compliance Apps:
  - OneTrust
  - Cookiebot
  - User Centrics
  - TrueVault
For more detailed insights and assistance with compliance, listeners are encouraged to reach out to Richard at Pilothouse or visit directtoconsumer.co.
This summary captures the essential discussions and insights from Episode 518 of the DTC Podcast, providing a comprehensive overview for listeners and those interested in ecommerce data privacy.
